Posted by Soulskill on Friday October 29, 2010 @11:12AM from the hamster-escape-route dept.

quartertime writes "Remember Reflections on Trusting Trust, the classic paper describing how to hide a nearly undetectable backdoor inside the C compiler? Here's an interesting piece about how to hide a nearly undetectable backdoor inside hardware. The post describes how to install a backdoor in the expansion ROM of a PCI card, which during the boot process patches the BIOS to patch grub to patch the kernel to give the controller remote root access. Because the backdoor is actually housed in the hardware, even if the victim reinstalls the operating system from a CD, they won't clear out the backdoor. I wonder whether China, with its dominant position in the computer hardware assembly business, has already used this technique for espionage. This perhaps explains why the NSA has its own chip fabrication plant."

Wikipedia, as linked in the summary: "Its secure government communications work has involved the NSA in numerous technology areas, including the design of specialized communications hardware and software, production of dedicated semiconductors (at the Ft. Meade chip fabrication plant), and advanced cryptography research. The agency contracts with the private sector in the fields of research and equipment."

A good example of this is Lojack for Laptops to see about having stuff in hardware be able to keep a program installed and hidden.

I have built and imaged hundreds of Sourcefire servers and THOUSANDS of desktop PCs for the NSA and their hardware is (mostly) the same thing everyone else buys. A lot of Dell. Most of the people I worked with only held a Position of Public Trust security clearance if any. I had none at the time and was only bonded with a background check. They didn't even care about the Felony that was 10 years old.

This could be what malware could do. Take some of the newer botnet clients that have modules for everything, be it trying to climb out of a VMWare machine, try to get around sandboxie, or other items. Malware could try to find items that are flashable, and reflash them with code for hooks to malware, or even worse an active keyboard logger. It was mentioned a while back in a previous /. article about a major computer maker with keyboard HIDs that were flashable with new code. So, if one got root on the box, it wouldn't be hard to reflash the keyboard with a keylogger that could store keystrokes, or just send them as packets to the blackhat's site.

Other than cellphone makers, a lot of devices really don't put much in the way of protecting their BIOS against rogue code, so it isn't farfetched to reflash a sound card, a NIC, a Northbridge/Southbridge controller, a video card, motherboard BIOS, or any other subsystem with malicious programming.
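A defender-side check for the scenario in the summary and in the comment above, added here as an example and not part of the original thread: parse a dumped PCI expansion ROM and compare each image's hash against a known-good baseline. The sample image, the IDs 0x1234/0x0001 and the function names are constructed for illustration.

```python
import hashlib
import struct

def parse_option_rom(rom: bytes) -> list:
    """Walk the images in a PCI expansion ROM dump; one dict per image."""
    images, off = [], 0
    while True:
        if rom[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 55 AA signature at {off:#x}")
        p = off + struct.unpack_from("<H", rom, off + 0x18)[0]  # PCI data structure
        if rom[p:p + 4] != b"PCIR" or p + 0x16 > len(rom):
            raise ValueError(f"bad PCI data structure at {p:#x}")
        vendor, device = struct.unpack_from("<HH", rom, p + 0x04)
        length = struct.unpack_from("<H", rom, p + 0x10)[0] * 512
        code_type, indicator = struct.unpack_from("<BB", rom, p + 0x14)
        if length == 0 or off + length > len(rom):
            raise ValueError("image length runs past end of dump")
        body = rom[off:off + length]
        images.append({"vendor": vendor, "device": device, "code_type": code_type,
                       "checksum_ok": sum(body) % 256 == 0,
                       "sha256": hashlib.sha256(body).hexdigest()})
        if indicator & 0x80:          # bit 7 marks the last image in the ROM
            return images
        off += length

def audit(rom: bytes, known_good: set) -> list:
    """Return (image index, finding) pairs; an empty list means nothing flagged."""
    findings = []
    for i, img in enumerate(parse_option_rom(rom)):
        # Code type 0 is a legacy x86 image, whose bytes must sum to 0 mod 256.
        if img["code_type"] == 0 and not img["checksum_ok"]:
            findings.append((i, "legacy image checksum does not sum to zero"))
        if img["sha256"] not in known_good:
            findings.append((i, "image hash not in known-good baseline"))
    return findings

def make_sample(vendor: int, device: int, filler: bytes) -> bytes:
    """Constructed 512-byte legacy image for the demo; not a real card's ROM."""
    img = bytearray(512)
    img[0:3] = b"\x55\xaa\x01"                   # signature, size in 512-byte blocks
    struct.pack_into("<H", img, 0x18, 0x20)      # pointer to the PCIR structure
    struct.pack_into("<4sHH", img, 0x20, b"PCIR", vendor, device)
    struct.pack_into("<H", img, 0x30, 1)         # image length: one block
    img[0x34], img[0x35] = 0, 0x80               # code type x86, last image
    img[0x40:0x40 + len(filler)] = filler
    img[511] = (-sum(img[:511])) & 0xFF          # fix up the byte checksum
    return bytes(img)
```

The byte checksum only catches accidental corruption, since anyone rewriting the ROM can recompute it; the baseline hash comparison is the meaningful check, and it is only as trustworthy as the system the dump was read on.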

You're right, this is well known... but not by everybody. Every minute new babies are born... grow up and have to be told everything that everyone already knows, because they don't.

So every second, new slashdotters come on and have to learn that yes, you have to be able to trust the hardware you use for security to mean anything. See, you ALREADY left an IMPORTANT part out. You say "you have to trust your hardware", this implies that you just have no choice but to trust it. In reality, you got to ask yourself, who designed the hardware I am relying on and can they and their suppliers/contractors be trusted. Answer: rarely. Reality is that most of us just ain't interesting enough to monitor at high levels.

This always amuses me with people at say Freenet. All of them seem so pampered in our western nations they can't conceive of how a true dictatorship can work. Encrypt? Who sold you that CPU that is doing the encryption? Darknet? When all the traffic flows through a government router. This is as naive as saying that when you plug your lights straight into the grid, before the meter, the electricity company (the state) won't know about the 100 watt light streaming out of your windows...

Fact: there are those who would like to spy. Fact: A good method is to get the place you want to spy on to have a device inside, you control and can use to get data out. Fact: Those who wish to spy, make PCs that are brought into the places that they want to spy on and contain the data they wish to get.

If the Chinese AIN'T doing this, they are either afraid the west (and their own people) check all their hardware, ain't all that interested because there are methods less likely to risk their trade or they are really stupid.

The Chinese ain't stupid and the west doesn't check all the time. Leaves that China doesn't want to risk trade by making their products suspect if just one nerd with a packet sniffer finds something.

It is worth keeping in mind however that the risk is there. Can the US afford to lose more and more of its chip production? We already saw what happens with rare earth materials. This stuff is all over the globe, the US got piles of it, Russia is drowning in it BUT it all seemed so easy to have ONLY the Chinese invest in mining it. Now the rest of the world needs years to get their own production up to scratch.

Say China starts a war (against Russia for resources) today... how long can the US afford to get its war production up to speed without Chinese/Taiwanese goods? Goods that might at the flick of a switch all contain spyware?

Gosh, maybe some generals should play Civ a bit more. See how things can change on a single turn.

Remember when the Pentium chip was first released and there was a flaw found in the processor? The flaw was most commonly demonstrated in something like the eleventh decimal place in a mathematical calculation which could be made inside an Excel spreadsheet. Intel released a firmware fix that compensated (obviously they were not about to recall, retool, and replace all of those chips). That sort of hardware "flaw" exists in almost any hardware chip of sufficient complexity. I believe it is a mathematical nuance of binary logic gates; somewhat analogous to algorithms which purport to generate prime numbers or Pythagorean triples--eventually the algorithm breaks down and it misses one, then it misses a few, then it begins missing a whole bunch, then eventually the algorithm is marginally useless and a new algorithm must be applied to reliably continue to find the (n+1)th prime number or Pythagorean triple.

These hardware flaws exist in your routers, in your processors, in your sound cards, in your video cards, even in your monitors and the chips of your hard drives and, now that microchip technology is sufficiently advanced and complex, in darn near anything which does more than basic mathematical calculations presented on a mantissa.

No technology has ever been released to the mass public without first knowing its flaws--and there will be flaws. It is an unavoidable result of the mathematics behind binary logic. I believe that most programmers begin to come in contact with this premise when they are asked, in intermediate programming courses, to write code for multiplication and division, especially with floating point numbers, performed using binary registers.

If you think your internets are safe then think again. All your base belong to the people who wrote it.

Wikipedia, as linked in the summary: "Its secure government communications work has involved the NSA in numerous technology areas, including the design of specialized communications hardware and software, production of dedicated semiconductors (at the Ft. Meade chip fabrication plant), and advanced cryptography research. The agency contracts with the private sector in the fields of research and equipment."

I dunno about the NSA, but I do know that *my* semiconductor fabrication company has a dedicated military fab line in California, and if the DoD orders a simple voltage regulator and is willing to pay for the extra cost, the fab goes through the layout, makes sure it's good, and runs it and packages it in a secure facility. I've not *seen* this, but coworkers have been in the fab and said that where most engineers in our company have Dilbert cartoons up, everyone in that facility has posters of military aircraft -- that it's like a military facility inside our company. Apparently they have full production capability: silicon design, fabrication, packaging, applications engineering, test engineering, and production engineering.

I know my company's aversion to spending money. They wouldn't *do* this unless it was economically profitable, which means we're actively pitching our secure fabrication capability to buyers, so anyone who is buying compromised hardware is doing so knowing the risk.

Well, actually you can't prove they aren't directly involved in field work because the agency is exempt from publishing exactly what they do under joint domestic investigations with the FBI (which is probably more common than anybody would like to believe).

Certainly the feds aren't going to "break in" and plant such a device, but who's to say the hardware we buy doesn't contain such hidden malware from the production line? All hardware sold in the US was "bugged" during the cold war because 1% of it ended up in use by foreign powers... fax machines and CRT monitors were designed to facilitate remote data collection...